
iOS逆向1015-微信抢红包案例(三)抢红包方法_用伪代码还原

作者: lukyy | 来源:发表于2018-06-10 21:33 被阅读23次

    1015-微信抢红包案例(三)抢红包方法_用伪代码还原

    还原此类:WCRedEnvelopesReceiveControlLogic
    
    
    // Class names noted during analysis; no members are listed for them here.
    @interface NMMUINavigationViewController
    @end
        // Abbreviated notes (no @end): one view controller per line with the author's label.
        // NOTE(review): presumably these are the screens behind the app's tabs; confirm.
        @interface NewMainFrameViewController   // 
        @interface BaseMsgContentViewController // messages
        @interface ContactsContentViewController    // contacts
        @interface FindFriendEntryViewController    // discover
        @interface MoreViewController           // more
    
    @interface NewMainFrameRightTopMenuBtn
    @end
    
    @interface MMBarButton
    @end
    
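    // Subset of BaseMsgContentViewController's methods as listed by the author.
    @interface BaseMsgContentViewController : MMObject
    - (_Bool)onLoadDownMoreMessage;
    - (void)AddLocationMessageWithLocation:(id)arg1;
    - (void)OnModMsg:(id)arg1 MsgWrap:(id)arg2;
    - (void)AddMsg:(id)arg1 MsgWrap:(id)arg2;
    // The author marks the two methods below as the ones to hook.
    - (void)OnAddMsg:(id)arg1 MsgWrap:(id)arg2;
    - (void)DidAddMsg:(id)arg1;
    @end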
    
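    // Described by the author as the relay point for messages.
    @interface CMessageMgr
    // The author marks the method below as the one to hook.
    // NOTE(review): the CMessageMgr hook further down the page targets
    // onNewSyncAddMessage: instead of this selector.
    - (void)MainThreadNotifyToExt:(id)arg1;
    @end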
    
    
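    @interface WCRedEnvelopesReceiveHomeView : MMUIView
    // Located by static analysis of the disassembly in IDA; the author identifies
    // this as the method that actually opens the red envelope.
    - (void)OnOpenRedEnvelopes;
    @end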
    
    
    
    
    
    //-------------------------  开始:WeChatHeader.h -------------------------
    //  001--WeChatDemo11
    //  Created by H on 2018/5/18.
    //  Copyright © 2018年 H. All rights reserved.
    //
    #ifndef WeChatHeader_h
    #define WeChatHeader_h
    // See http://iphonedevwiki.net/index.php/Logos
    #import <UIKit/UIKit.h>
    // Shorthand for the shared NSUserDefaults instance.
    #define HKDefaults [NSUserDefaults standardUserDefaults]
    // Presumably NSUserDefaults keys; neither is read or written in the code shown on this page.
    #define HKSWITCHKEY @"HKSWITCHKEY"
    #define HKTIMEKEY @"HKTIMEKEY"
    
    // UI-related
    // Only this one method is declared; nothing on this page hooks or calls it.
    @interface MMTableViewInfo
    - (long long)numberOfSectionsInTableView:(id)arg1;
    @end
    
    // Ivar declarations for the red-envelope view. The commented-out experiment in the
    // OnOpenRedEnvelopes hook reads "m_delegate" by name through MSHookIvar.
    @interface WCRedEnvelopesReceiveHomeView{
        id m_delegate;
        NSDictionary *m_dicBaseInfo;
    }
    @end
    
    
    // Payment info attached to a message. The hook code reads m_c2cNativeUrl and expects
    // it to start with "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?".
    @interface WCPayInfoItem :NSObject
    @property(retain, nonatomic) NSString *m_c2cNativeUrl;
    @end
    
    
    // Message wrapper; only the payment-info accessor used by the hook code is declared.
    @interface CMessageWrap :NSObject
    @property(retain, nonatomic) WCPayInfoItem *m_oWCPayInfoItem;
    @end
    
    
    // State object held in the control logic's m_data ivar.
    @interface WCRedEnvelopesControlData :NSObject
    // The message whose payment info carries the red-envelope URL.
    @property(retain, nonatomic) CMessageWrap *m_oSelectedMessageWrap;
    // The hook code reads the "timingIdentifier" and "agree_duty" keys from this dictionary.
    @property(retain, nonatomic) NSDictionary *m_structDicRedEnvelopesBaseInfo;
    @end
    
    
    // Base class of the receive logic. m_data is declared as an ivar, not a property,
    // which is why the hook reads it with MSHookIvar.
    @interface WCRedEnvelopesControlLogic{
        WCRedEnvelopesControlData *m_data;
    }
    @end
    
    
    // The class this page reconstructs; its WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes
    // method is re-implemented in the %hook further down.
    @interface WCRedEnvelopesReceiveControlLogic:WCRedEnvelopesControlLogic
    @end
    
    
    // Utility class. The hook passes the query part of the red-envelope URL with "&" as
    // separator and reads "sendid" and "channelid" from the result.
    // NOTE(review): the "Componets" spelling is part of the selector; presumably it
    // matches the binary, so it must not be corrected here.
    @interface WCBizUtil: NSObject
    + (id)dictionaryWithDecodedComponets:(id)arg1 separator:(id)arg2;
    @end
    #endif /* WeChatHeader_h */
    //------------------------- 结束:WeChatHeader.h -------------------------
    
    
    
    
    
    //========================= 开始:_01__WeChatDemo11Dylib.xm =========================
    // Service locator: the hook code calls [defaultCenter getService:SomeClass] to obtain
    // the CContactMgr, MMMsgLogicManager, WCPayLogicMgr and WCRedEnvelopesLogicMgr instances.
    @interface MMServiceCenter
    +(id)defaultCenter;
    -(id)getService:(Class)arg1;
    @end
    
    // The hook treats the returned object as a WeixinContentLogicController and nil-checks it.
    @interface MMMsgLogicManager
    -(id)GetCurrentLogicController;
    @end
    
    
    // The hook reads m_contact from this controller and takes m_nsUsrName from it as the
    // "sessionUserName" request field.
    @interface WeixinContentLogicController
    -(id)m_contact;
    @end
    
    
    // Receives the request dictionary that the hook builds (keys msgType, sendId, channelId,
    // nickName, headImg, nativeUrl and, when available, sessionUserName and timingIdentifier).
    @interface WCRedEnvelopesLogicMgr
    -(void)OpenRedEnvelopesRequest:(id)dic;
    @end
    
    
    // The hook assigns the result of getSelfContact to a CContact *.
    @interface CContactMgr
    -(id)getSelfContact;
    @end
    
    // Contact fields the hook copies into the request: m_nsHeadImgUrl becomes "headImg",
    // m_nsUsrName becomes "sessionUserName".
    @interface CBaseContact
    @property(retain, nonatomic) NSString *m_nsHeadImgUrl;
    @property(retain, nonatomic) NSString *m_nsUsrName;
    @end
    
    
    // The hook stores the display name under "nickName". Declared as id: per the author's
    // note in the hook, the runtime class is a tagged-pointer string.
    @interface CContact :CBaseContact
    -(id)getContactDisplayName;
    
    @end
    
    // The hook calls setRealnameReportScene: with 1003, then checkHongbaoOpenLicense: with the
    // "agree_duty" value; the open request is sent only from the accept callback.
    @interface WCPayLogicMgr
    - (void)setRealnameReportScene:(unsigned int)arg1;
    - (void)checkHongbaoOpenLicense:(id)arg1 acceptCallback:(void(^)())arg2 denyCallback:(void(^)())arg3;
    @end
    //========================= 结束:_01__WeChatDemo11Dylib.xm =========================
    
    
    
    
    /***************************************************************************
    @interface WeiXinContentLogicController: BaseMsgContentViewController
    @end
    
    
    @interface BaseMsgContentLogicController : MMObject 
    {
        BaseMsgContentViewController *m_viewController;
        CBaseContact *m_contact;
    
        CContactVerifyLogic *m_contactVerifyLogic;
    }
    @end
    **************************************************************************/
    
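    // Logging hook used to inspect the request dictionary before the original runs.
    // The class name is taken from the declaration of OpenRedEnvelopesRequest: earlier on
    // the page (WCRedEnvelopesLogicMgr); the original snippet left it out.
    %hook WCRedEnvelopesLogicMgr
    - (void)OpenRedEnvelopesRequest:(id)arg1 {
        // NOTE(review): the dictionary built elsewhere on this page carries nickName, headImg,
        // sessionUserName and nativeUrl, so this line writes them to the device log.
        NSLog(@"%@", arg1);
        %orig;
    }
    %end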
    
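    // Pseudo-code, step by step: walk from the control data to the red-envelope URL.
    // NOTE(review): m_data is declared as an ivar in WeChatHeader.h, so self.m_data is
    // shorthand only; the hook below reads it with MSHookIvar.
    WCRedEnvelopesControlData  *m_data = self.m_data;
    CMessageWrap   *msgWrap         = [m_data m_oSelectedMessageWrap];
    WCPayInfoItem  *item            = [msgWrap m_oWCPayInfoItem];
    NSString       *url             = [item m_c2cNativeUrl];
    
    // The same lookup as one chained expression (named differently so both forms can
    // sit in one scope).
    NSString *nativeUrl = [[[self.m_data m_oSelectedMessageWrap]
                                    m_oWCPayInfoItem]
                                    m_c2cNativeUrl];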
    
    
    
    //--------------------逻辑分析  --------
    // 微信应该有一个专门管理消息的对象!
    // 这个方法到底 是谁调用来的!! 看函数调用栈!!
    
    
    %hook WCRedEnvelopesReceiveHomeView
    // Pass-through hook: only the original implementation runs. The experiment kept in
    // comments below dumped a dictionary and then called the delegate's
    // WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes directly.
    - (void)OnOpenRedEnvelopes{
        %orig;
    //    // read the instance variable (the next line is truncated in the source)
    //    NSDictionary * dict = c
    //    // print the dictionary
    //    NSArray * arr = [dict allKeys];
    //    for(int i = 0;i < arr.count ;i++){
    //        NSLog(@"%@:%@",arr[i],[dict objectForKey:arr[i]]);
    //    }
    //    // read the delegate
    //    WeChatdelegate * delegate = MSHookIvar<WeChatdelegate *>(self,"m_delegate");
    //
    //    [delegate WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes];
    //    NSLog(@"delegateClass: %@",[delegate class]);
    }
    %end
    
    
    %hook CMessageMgr
    // Observation hook: logs each incoming message object and its class, then runs the
    // original implementation.
    // NOTE(review): the notes earlier on the page mark MainThreadNotifyToExt: as the hook
    // point for this class; this hook targets onNewSyncAddMessage: instead.
    - (void)onNewSyncAddMessage:(id)arg1{
        // NOTE(review): this prints the whole message object, so message contents end up
        // in the device log.
        NSLog(@"%@\n%@",arg1,[arg1 class]);
        // The author's analysis found that red-envelope messages have message type 49.
        // if type == 49 { open it }
        %orig;
    }
    %end
    
    
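    %hook WCRedEnvelopesReceiveControlLogic
    // Pseudo-code reconstruction of the handler that runs when the red envelope is opened.
    // It rebuilds the request dictionary from the selected message and the current contact,
    // runs the license check, and sends the open request from the accept callback.
    // When the inputs are not in the expected shape it falls back to the original
    // implementation instead of raising on a nil value or a short string.
    // NOTE(review): every field of the request is assembled on the client, so any check
    // that matters has to be enforced on the receiving side.
    -(void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes{
        static NSString * const kReceivePrefix = @"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?";
    
        // m_data is an ivar, not a property, so it is read by name through MSHookIvar.
        WCRedEnvelopesControlData * m_data = MSHookIvar<WCRedEnvelopesControlData *>(self,"m_data");
        CMessageWrap  * msgWrap         = [m_data  m_oSelectedMessageWrap];
        WCPayInfoItem * payInfoItem     = [msgWrap m_oWCPayInfoItem];
        NSString * c2cNativeUrl         = [payInfoItem m_c2cNativeUrl];
    
        // The URL comes out of a received message, so it is untrusted. Check the prefix
        // before slicing: substringFromIndex: raises when the string is shorter than the
        // prefix, and a different prefix would otherwise be cut at an arbitrary offset.
        if (![c2cNativeUrl hasPrefix:kReceivePrefix]) {
            %orig;
            return;
        }
        NSString * query       = [c2cNativeUrl substringFromIndex:[kReceivePrefix length]];
        NSDictionary * url_dic = [%c(WCBizUtil) dictionaryWithDecodedComponets:query separator:@"&"];
        id sendId    = url_dic[@"sendid"];
        id channelId = url_dic[@"channelid"];
    
        CContactMgr * contactMgr = [[%c(MMServiceCenter) defaultCenter] getService:[%c(CContactMgr) class]];
        CContact * selfContact   = [contactMgr getSelfContact];
        // Author's note: displayName is a tagged-pointer string at runtime.
        id displayName = [selfContact getContactDisplayName];
        NSLog(@"---displayName= %@",[displayName class]);
        NSString * headImg = [selfContact m_nsHeadImgUrl];
    
        // Storing nil in a mutable dictionary raises, so every mandatory value is
        // checked before the dictionary is filled.
        if (!sendId || !channelId || !displayName || !headImg) {
            %orig;
            return;
        }
    
        NSMutableDictionary * params = [NSMutableDictionary dictionary];
        params[@"msgType"]   = @"1";
        params[@"sendId"]    = sendId;
        params[@"channelId"] = channelId;
        params[@"nickName"]  = displayName;
        params[@"headImg"]   = headImg;
        // A URL that passed the prefix check implies a non-nil message wrap.
        params[@"nativeUrl"] = c2cNativeUrl;
    
        // Optional field: user name of the contact in the current conversation.
        // Messaging nil returns nil, so no nested checks are needed.
        MMMsgLogicManager * msgLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService:[%c(MMMsgLogicManager) class]];
        WeixinContentLogicController * currentLogicContoller = [msgLogicMgr GetCurrentLogicController];
        CBaseContact * contact = [currentLogicContoller m_contact];
        NSString * nsUsrName   = [contact m_nsUsrName];
        if ( nsUsrName ){
            params[@"sessionUserName"] = nsUsrName;
        }
    
        // Optional field: copied only when present and non-empty.
        NSDictionary * m_dicBaseInfo = [m_data m_structDicRedEnvelopesBaseInfo];
        NSString * timingIdentifier  = m_dicBaseInfo[@"timingIdentifier"];
        if ([timingIdentifier length]){
            params[@"timingIdentifier"] = timingIdentifier;
        }
    
        WCPayLogicMgr * payLogic = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCPayLogicMgr) class]];
        [payLogic setRealnameReportScene:(unsigned int)1003];
        id agreeDuty = m_dicBaseInfo[@"agree_duty"];
    
        // The open request is sent only from the accept callback; deny does nothing.
        [payLogic checkHongbaoOpenLicense:agreeDuty acceptCallback:^(){
            WCRedEnvelopesLogicMgr * redEnvelopesLogicMgr = [[%c(MMServiceCenter) defaultCenter] getService:[%c(WCRedEnvelopesLogicMgr) class]];
    
            [redEnvelopesLogicMgr OpenRedEnvelopesRequest:params];
    
        } denyCallback:^(){
    
        }];
    
    }
    
    %end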
    
    

    2.1、File --> Script file (Alt + F7) --> 显示部分为代码类与方法

    image.png

    2.2、全选,复制到 Sublime Text 中查看,并 推算出伪代码

    image.png

    3、恢复block 符号表

    通过开源项目:restore-symbol 恢复

    3.1 使用ida 通过 ida_search_block.py 脚本 生成 block_symbol.json 文件,放入 restore-symbol2 项目中
    3.2、 终端使用,goshell 直接进入文件 恢复 符号表

    $ ./restore-symbol WeChat -o WeChat_block -j block_symbol.json

    WeChat: 140.6 M
    WeChat_arm64:75.3 M
    WeChatMachO: 84.5 M //恢复后 变大了
    WeChat_block: 94M

    3.3、 WeChat_block 改名为 WeChat --> 再放入WeChat.ipa 包内

    ( WeChat.ipa 包内:先删掉原来的 WeChat,即替换 )

    3.4、 重新用ida 解析,搜索查看 WCRedEnvelopesReceiveControlLogic

    image.png image.png
